HP: Enterprises Still Fail to Manage User Access to Sensitive Data

Even as organizations worry about attackers and cyber-spies going after sensitive data, a recent Ponemon Institute survey found that employees still have too many data-access privileges.

Many companies still fail to adequately manage user privileges and protect sensitive data, exposing them to the risks of data breaches, according to a study from Hewlett-Packard and the Ponemon Institute.

A survey of 5,500 IT professionals around the world found that more than half the organizations were still giving employees access to sensitive, confidential data they didn't need to perform their jobs, Ponemon Institute said in a report released Dec. 12. The survey looked at professionals in a variety of IT roles, such as operations and security management, in 13 countries, including the United States, the United Kingdom, Germany and France.

More than half the respondents said they have access to company data beyond the scope of their job requirements, the survey found. Examples included giving a network administrator access to payroll data or a database administrator access to the customer list.

About 63 percent of the respondents admitted they would look at the data out of curiosity. Many of the organizations did not revoke privileged access after the employee's role or job function changed and they didn't need the data anymore, the report found.

"This study spotlights risks that organizations don't view with the same tenacity as critical patches, perimeter defense and other security issues, yet it represents a major access point to sensitive information," said Tom Reilly, vice president and general manager of the Enterprise Security Products group at Hewlett-Packard, which sponsored the study.

Organizations often focus their defenses on stopping external intruders from gaining access to sensitive data, often forgetting that an outsider who has breached the network will look like an insider, a legitimate employee, Ira Winkler, Codenomicon's chief security strategist, told eWEEK. Organizations shouldn't worry about who is trying to penetrate their systems as much as about how data can be compromised, and should protect the data accordingly. In most cases, that involves managing who has access to the data in the first place, according to Winkler.

"General business data" such as documents, spreadsheets, emails and other sources of unstructured data were most at risk for snooping, followed by customer data, according to the survey. Mobile, social media and business-unit-specific applications were most targeted. The findings are consistent with a recent Symantec report on malicious insiders who steal corporate data. Business information, such as billing information, price lists and other administrative data, was stolen in 30 percent of the real-world incidents examined in the report.

The problem was often a "culture" problem, according to Ponemon Institute founder and chairman Larry Ponemon. "Somehow, privileged users think they have a right to access," Ponemon said. In the study, 68 percent of respondents said they were "empowered" to access sensitive data.

About a third of the respondents said access-governance policies are in place and strictly enforced. Few organizations had the technology in place to control access or manage how data-access privileges are being used, according to the report.

About 27 percent of respondents said their organizations have technology-based identity and access controls to detect when root-level or system administration access rights are being shared among users. About 24 percent of the survey respondents said their organizations combined technology with a business process to control user access. However, 15 percent of the professionals in the survey admitted that access was not really controlled within the organization, and 11 percent said they couldn't detect when access rights were being shared.